CVE-2017-3159

Severity
9.8 CRITICAL
EPSS
2.8%
top 13.97%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Mar 7
Latest update: Oct 16

Description

Apache Camel's camel-snakeyaml component is vulnerable to a Java object de-serialization vulnerability. De-serializing untrusted data can lead to security flaws.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (3 packages)

Maven: org.apache.camel:camel-snakeyaml, 2.18.0 / 2.18.2
NVD: apache/camel, 2.17.0 / 2.17.4
CVEList V5: apache_software_foundation/apache_camel, 2.17.0 to 2.17.4 and 2.18.0 to 2.18.1; the unsupported Camel 2.x (2.14 and earlier) versions may also be affected.

Vulnerability Details (3)

GHSA: Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization (2018-10-16)
OSV: Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization (2018-10-16)
CVEList: CVE-2017-3159: Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability (2017-03-07)

Vendor Advisories (2)

Red Hat: camel-snakeyaml: Unmarshalling operation is vulnerable to RCE (2016-12-08)
Apache: Apache Camel: CVE-2017-3159

Community (1)

Bugzilla: CVE-2017-3159 camel-snakeyaml: Unmarshalling operation is vulnerable to RCE (2017-02-09)